Questions about using SSL

I have some questions about SSL.
1) If I use SSL for my Website, does that also mean that I will also be using "https" instead of "http"?
2) What are the risks of using my own created SSL certificate, rather than paying a provider like Verisign?
3) When an application user logs in using SSL, is the server side username and password encrypted?
4) Why don't all software shops use SSL as it seems to be the most secure method for username and password authentication?
brgdotnetcontractor asked:

Najam Uddin commented:
1. Yes, you will be using https when using SSL. In fact, HTTPS is HTTP over SSL.
2. Your certificate is just like you issuing an SSN or your passport to yourself. Who will take responsibility that you are the authentic party?
3. Every communication in SSL is encrypted; that is what SSL is for.
4. Because SSL is not cheap, it comes with a cost; the more reliable the provider is, the higher the cost.

Hope I cleared it.
1

Michael Fowler, Solutions Consultant, commented:
1/ Yes, although you can allow http as well as https if desired.
2/ Modern browsers will display an error page when you access a page using a self-signed certificate; in addition, they introduce a number of security issues: https://en.wikipedia.org/wiki/Self-signed_certificate
3/ SSL encrypts the data being sent between the client and server machines. Once the data reaches the receiving machine it is decrypted for use. So effectively usernames and passwords are only encrypted in transit.
4/ SSL adds a layer of complexity and cost, and in some cases the overhead of SSL could slow response times. The question to ask yourself is, what is the likelihood and impact of a hacker accessing the secure section of your site, and then make a call if the added expense is worth it.
0
Phil Davidson commented:
1)  Yes
2)  If you don't protect the Certificate Authority server, e.g., with a firewall, an antivirus application, maybe an IDS, the added security isn't as good.  Verisign certificates are secure.  To mitigate the risk, put the CA behind a firewall (quite secure), in the DMZ (somewhat secure), make sure it is a Linux/Unix server, or Windows server with an antivirus.
3)  SSL authentication can be done with no usernames and no passwords.  SSL does support encryption however.
4)  Good question.  They should.  For certain matters like subscribing to newsletters, the threats and risks aren't substantial.  I think that more websites should support encryption etc.  Many people use email in ways that they shouldn't.
0